Where is your Windows Password stored?
Windows stores the hashes of local account passwords in the SAM hive, the file C:\Windows\System32\config\SAM. The file is held open and locked by the kernel while Windows is running, so it cannot be copied or moved with normal file tools. The same data is exposed in the registry under HKEY_LOCAL_MACHINE\SAM, readable only by the SYSTEM account. The hashes inside the SAM are additionally encrypted with a key derived from the SYSTEM hive (the boot key), which is why every dumping tool, including Volatility's hashdump, needs both the SAM and the SYSTEM hive.
How is your Windows Password stored?
The password is never stored in plain text, only its hash. Dumping tools such as pwdump, fgdump and Volatility's hashdump print one line per account in the pwdump format username:RID:LM hash:NTLM hash:::, where:
- First field: the username
- Second field: the RID (Relative IDentifier), the last component of the account's SID; 500 is the built-in Administrator and 501 the Guest account
- Third field: the LM hash, an obsolete DES-based hash that is disabled by default since Windows Vista; the constant aad3b435b51404eeaad3b435b51404ee in this field means no LM hash is stored
- Fourth field: the NTLM hash (NT hash), the MD4 digest of the password encoded as UTF-16LE, with no salt
When a user logs in, Windows computes the hash of the password typed in and compares it with the hash stored in the SAM. If they match, authentication succeeds; otherwise Windows reports that the credentials are incorrect. Because the NT hash is unsalted, every account with the same password has the same hash, which is what makes the lookup and cracking methods in Step 6 below work.
Memory Forensics acquisition and analysis
This example uses the tool AccessData FTK Imager.
Step 1: Get the memory dump
Run FTK Imager as an administrator and go to File > Capture Memory.
Select a destination path such as your Desktop and click Capture Memory.
Step 2: Choose a memory forensics tool
Volatility is an open source framework for memory forensics that can analyze RAM images of both 32-bit and 64-bit systems.
For this task its key feature is a set of registry plugins that locate and parse the registry hives still resident in memory, including the SAM and SYSTEM hives.
The list of registry analysis plugins is in the “Registry Analysis Plugins” section of the SANS Volatility cheat sheet: https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf
Step 3: Select the correct profile for volatility
Before analyzing the memory dump, Volatility (version 2, the vol.py used here) needs a profile matching the operating system of the image.
For example, a 64-bit Windows 10 image uses one of the Win10x64 profiles. Windows 10 profiles are build-specific: Win10x64_16299 is for build 16299, i.e. Windows 10 version 1709.
If a plugin prints no results, the profile is most likely wrong and you have to specify the exact build in the profile name. The imageinfo or kdbgscan plugin suggests candidate profiles for an image.
On Windows 10, the OS version and build number are shown in the System Information panel (msinfo32).
The syntax is (note there is no space after --profile=):
python vol.py [plugin] -f memdump.mem --profile=Win10x64_16299
Step 4: Get the offsets of the SYSTEM hive and the SAM hive
With the hivelist plugin we list every registry hive found in memory together with its virtual and physical offset.
The syntax is:
python vol.py hivelist -f memdump.mem --profile=Win10x64_16299
Virtual    Physical   Name
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x82b6b140 0x02b6b140 [no name]
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
Step 5: Get the NTLM hashes
Now, using the hashdump plugin, we extract the hashes. Two parameters must be given: -y, the virtual offset of the SYSTEM hive, and -s, the virtual offset of the SAM hive. Both come from the first (Virtual) column of the hivelist output; the physical offsets will not work.
For this example:
- The SAM hive offset is 0x9aad6148
- The SYSTEM hive offset is 0x8b21c008
python vol.py hashdump -f memdump.mem --profile=Win10x64_16299 -y 0x8b21c008 -s 0x9aad6148 > hashes.txt
Each line of hashes.txt has the pwdump format described above (username:RID:LM hash:NTLM hash:::).
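Steps 4 and 5 can be chained. The following Python script is an added example, not code from the original page or from the Volatility project: it parses the hivelist output above (embedded here as a constructed sample string) and builds the hashdump command line from the virtual offsets of the SYSTEM and SAM hives, refusing to proceed if either hive is missing or ambiguous. The function names are my own; in practice you would feed it the real hivelist output captured from vol.py instead of the sample.

```python
import re
import shlex
from typing import List, Tuple

# Constructed sample: the hivelist output shown above, in Volatility 2's layout
# (virtual offset, physical offset, hive name).
SAMPLE_HIVELIST = r"""Virtual    Physical   Name
---------- ---------- ----
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x82b6b140 0x02b6b140 [no name]
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
"""

# A hive line: two hex offsets followed by the hive name (which may contain spaces,
# e.g. "[no name]"). Header and separator lines do not match.
HIVE_LINE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")


def parse_hivelist(text: str) -> List[Tuple[int, int, str]]:
    """Turn hivelist output into (virtual, physical, name) tuples, skipping non-hive lines."""
    hives = []
    for line in text.splitlines():
        m = HIVE_LINE.match(line)
        if m:
            hives.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return hives


def hive_virtual_offset(hives: List[Tuple[int, int, str]], suffix: str) -> int:
    """Virtual offset (first column) of the one hive whose name ends with suffix, case-insensitively.

    hashdump -y/-s take virtual offsets, so the physical column is deliberately ignored.
    Raises instead of guessing when the hive is missing or appears more than once.
    """
    matches = [virt for virt, _phys, name in hives if name.lower().endswith(suffix.lower())]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one hive ending in {suffix!r}, found {len(matches)}")
    return matches[0]


def hashdump_command(hivelist_text: str, image: str, profile: str) -> List[str]:
    """Build the vol.py hashdump argv for the SYSTEM (-y) and SAM (-s) hives found in hivelist output."""
    hives = parse_hivelist(hivelist_text)
    system_off = hive_virtual_offset(hives, "\\SYSTEM")  # \REGISTRY\MACHINE\SYSTEM
    sam_off = hive_virtual_offset(hives, "\\SAM")        # \SystemRoot\System32\Config\SAM
    return ["python", "vol.py", "hashdump", "-f", image, f"--profile={profile}",
            "-y", f"0x{system_off:x}", "-s", f"0x{sam_off:x}"]


if __name__ == "__main__":
    # Prints: python vol.py hashdump -f memdump.mem --profile=Win10x64_16299 -y 0x8b21c008 -s 0x9aad6148
    print(shlex.join(hashdump_command(SAMPLE_HIVELIST, "memdump.mem", "Win10x64_16299")))
```

The suffix match on "\SAM" does not collide with the SECURITY hive or the NTUSER.DAT hives, and the check for exactly one match catches dumps where a hive was not found at all, which would otherwise surface only as an empty or failing hashdump run.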
Step 6: Recover NTLM password from the hashes
Online lookup services such as the hashkiller NTLM cracker and CrackStation can return the plain-text password for common NTLM hashes; bear in mind that any hash you submit is disclosed to the operator of the service. Offline tools such as John the Ripper (with --format=NT) brute-force the hashes against a wordlist. On Kali, rockyou.txt is under /usr/share/wordlists; it ships compressed as rockyou.txt.gz and must be extracted once before use.
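To make the “How is your Windows Password stored?” section and this step concrete, here is an added Python example (not code from the original page or from any of the tools mentioned). It implements the NT hash from scratch, MD4 over the UTF-16LE password as specified in RFC 1320, because hashlib's md4 is often unavailable on systems built against OpenSSL 3; it then parses pwdump-format lines such as those written to hashes.txt and runs a wordlist against them. The hash lines and the wordlist are constructed for the example, and alice's NT hash is a placeholder rather than a real hash. Because the NT hash is unsalted, each candidate word is hashed once and that single digest is checked against every account.

```python
import struct
from typing import Dict, List, Tuple

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in pwdump format (username:RID:LM hash:NTLM hash:::).
# Administrator's NT hash is the real NT hash of "password"; alice's is a placeholder.
SAMPLE_PWDUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""
WORDLIST = ["", "123456", "password", "letmein"]  # constructed stand-in for rockyou.txt


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(st: List[int], x, fn, order, shifts, const: int) -> None:
    # Registers are updated in the order A, D, C, B, ... ; the other three feed fn.
    for i in range(16):
        idx = (-i) % 4
        u, v, w = (st[(idx + j) % 4] for j in (1, 2, 3))
        st[idx] = _rol((st[idx] + fn(u, v, w) + x[order[i]] + const) & MASK, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320): pad to 56 mod 64, append 64-bit LE bit length, 3 rounds per block."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        st = list(state)
        _md4_round(st, x, lambda a, b, c: (a & b) | (~a & c), list(range(16)), (3, 7, 11, 19), 0)
        _md4_round(st, x, lambda a, b, c: (a & b) | (a & c) | (b & c),
                   [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999)
        _md4_round(st, x, lambda a, b, c: a ^ b ^ c,
                   [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + t) & MASK for s, t in zip(state, st)]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> List[Tuple[str, int, str, str]]:
    """Parse pwdump lines into (username, RID, LM hash, NT hash); hashes are lower-cased hex."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # blank line or something that is not an account record
        rows.append((fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()))
    return rows


def crack_pwdump(text: str, wordlist: List[str]) -> Dict[str, str]:
    """Return {username: password} for every account whose NT hash matches a wordlist entry."""
    table = {ntlm_hash(word): word for word in wordlist}  # one hash per word serves all accounts
    found = {}
    for user, _rid, _lm, nt in parse_pwdump(text):
        if nt in table:
            found[user] = table[nt]
    return found


if __name__ == "__main__":
    for user, rid, lm, nt in parse_pwdump(SAMPLE_PWDUMP):
        flags = ("no LM hash" if lm == EMPTY_LM else "LM hash present",
                 "empty password" if nt == EMPTY_NT else "")
        print(f"{user} (RID {rid}): {nt}  {' '.join(f for f in flags if f)}")
    print(crack_pwdump(SAMPLE_PWDUMP, WORDLIST))  # {'Administrator': 'password', 'Guest': ''}
```

Running it shows why the Step 6 services work at all: the digest of "password" is 8846f7eaee8fb117ad06bdd830b7586c on every Windows machine in the world, so a precomputed table maps it straight back, and 31d6cfe0d16ae931b73c59d7e0c089c0 in the NT field always means an account with no password.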
Example with fgdump
1. Download the current stable version from http://foofus.net/goons/fizzgig/fgdump/downloads.htm (expect antivirus software to flag it)
2. From an elevated (administrator) PowerShell or command prompt, run .\fgdump.exe; fgdump needs administrative rights to read the SAM and SYSTEM hives
3. After a few seconds three files are created in the current directory
4. The hashes are stored in 127.0.0.1.pwdump, one line per account in the pwdump format described above
5. Open this file with Notepad to get the hashes
6. Crack the hashes as described in Step 6